The sophistication, scale and frequency of cybercrime continue to rise. While organizations are concerned about cyber threats, the vast majority of them appear to be acting too slowly to reduce the risks. Businesses in all sectors are scrambling to respond to cyber-attacks, with healthcare, finance and government sectors reporting high volumes of breaches.
To increase resilience and protect against cyber crimes, organizations must fully understand the risks.
- Basic vulnerabilities. A substantial number of cyber attacks are aimed at obvious gaps in enterprise systems. Outdated software patches are an example of an internal risk that are frequently exploited by attackers.
- Human factors. Human error continues to be the main vulnerability for many organizations. Human error can include sending sensitive information to incorrect recipients, accidentally publishing confidential information online and misconfiguring assets to allow for unwanted access.
- Budget constraints. Most organizations have not invested heavily in their security framework. Though this is rapidly changing, security teams do not always attract the budget and resources they need to adopt a proactive approach.
- Third-party risks. It is crucial to understand the security posture of the service and solution providers in your partner ecosystem. Any vulnerabilities in supplier organizations can be a potential entry point for your organization. This was most acutely evident in the SolarWinds network management software hack, which impacted a wide array of U.S. government departments in 2020. The software supply chain represents a key vulnerability for many organizations.
- Business continuity. It is important for an organization to be resilient in the event of a security breach. The absence of business continuity and disaster recovery plans can lead to severe financial and reputational damage.
Technological advancements and digitization are constantly altering the IT environment, making cyber security increasingly difficult to manage. The greatest danger is assuming you will never be a victim of a cyber-attack.
Impacts of cyber crime
A cyber incident can cause a financial loss of millions of dollars, with costs often recurring over a long period of time. With increasing awareness, customers are more conscious about what information they are providing to organizations. Failure to protect your customers' data can lead to loss of trust and to wider, significant reputational damage. This also can lead to further revenue loss or an impact on investors.
Sophisticated cyber crimes, including ransomware and denial of service (DoS) attacks, can cause significant damage. They not only bring business operations to a halt but sometimes involve hefty ransom payments.
The recent attack on the Colonial Pipeline in North America is a stark example. The attack shut down the fuel distribution network and caused chaos as the community anticipated gasoline shortages. In addition to reputational damage, Colonial Pipeline also suffered a direct financial impact, paying $4.4 million dollars to end the attack.
Recent reporting in Australia suggests that over one third of Australian businesses hit by ransomware attacks paid the ransom, and many organizations lack a formal policy for ransomware attacks. There is pressure building in many jurisdictions to introduce mandatory reporting of ransom payments to get a true picture of the extent of the problem.
Building cybersecurity compliance
The implementation of California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR) require organizations to report how they store and manage customer data. Organizations are now faced with a growing number of requests around “right to know” and “right to erasure.” Without adequate processes in place, organizations struggle to meet the deadline for these requests, placing themselves in a vulnerable position. Furthermore, organizations also can face large fines for non-compliance for issues like ethical storage of information. In the year 2020 alone, fines exceeding £150 million were issued under GDPR.
In 2017, Australia amended a similar privacy act, requiring all Australian government agencies and private organizations with an annual revenue of more than $3 million to report a security breach to Australian Information Commissioner within 30 days of the incident. With increased compliance pressure and a surge in cyber attacks, companies cannot afford to ignore cybersecurity.
A proactive approach to security
To fully prepare for cyber threats, companies must implement rules and procedures that are tailored to their business. The creation of cybersecurity policies should not only include IT, but also business strategy teams and feedback from employees about their technology use. It is also important to maintain a balance between securing data and enabling easy access of required information for conducting business operations.
To effectively secure data, a company's cybersecurity must include all its networks, software, applications and hardware. All systems must be tested and assessed. Detailed documentation must be established outlining how attacks are detected, how systems are secured in the event of an attack, and how to initiate recovery after an attack. These systems should also provide clear guidelines for onboarding and offboarding employees.
Security is often an afterthought and integrated with technologies as an added layer. It is important to recognize cybersecurity as a critical function of digital business. Security should be at the center of all processes and is the key element in ensuring your long-term success.
ISG helps companies around the world understand the evolving nature of cybercrime, assess their own cybersecurity maturity and develop a roadmap to prevent, protect and stay resilient in the face of the risks.
About the author
Vanshika Madan is an Analyst with ISG Research.